clarify a few things and complete ssh parameters description

This commit is contained in:
Florian Schlegel 2022-04-14 19:56:57 +02:00
parent dcb2866170
commit f7b3889b7f
1 changed file with 19 additions and 19 deletions


@ -1,7 +1,7 @@
# ssh-port-forwarding
(use plain openssh to do remote port forwarding)
There are many good reasons to do secure port forwarding through ssh. For example if you own two servers in different datacenters and you want to connect to a single service which is less restricted when accessed locally (e.g. port 25 for SMTP) or you want to forward a service from a system behind a firewall (e.g. a web service on your home Server).
There are many good reasons to do secure port forwarding through ssh. For example if you own two servers in different datacenters and you want to connect them to a single service which is less restricted when accessed locally (e.g. port 25 for SMTP) or you want to forward a service from a system behind a firewall (e.g. a web service on your home Server).
Traditionally you would use autossh to manage permanent ssh connections. However through many hours of testing this has prooven unreliable in many ways. When connecting multiple times to the same server autossh by default uses the same ports for monitoring, which leads to the termination of at least one connection. There also were inexplicable cases when sshd remained running on the server, while the client was actually disconnected and could not restore the connection due to the broken process on the server.
Luckily opennsh made autossh redundant because it already offers built-in monitoring. No additional monitoring ports are necessary anymore. However, there are quite a few options that you should know about in order to improve security and reliability of such a setup. This is the motivation behind this tutorial.
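Review bot: since this commit is a clarification pass, the two typos in the unchanged context lines of this hunk should go with it: "prooven unreliable" should read "proven unreliable", and "opennsh made autossh redundant" should read "openssh made autossh redundant". In the same lines, "home Server" should be lowercase "home server", and the new wording "connect them to a single service" is slightly ambiguous about what "them" refers to; "connect from one of them to a service on the other" (or keeping the original "connect to a single service") would read more clearly.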
@ -21,7 +21,7 @@ GatewayPorts clientspecified
ClientAliveInterval 5
ClientAliveCountMax 3
```
This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.
This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this later on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a command line parameter.
### special user account
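Review bot: the backticks in the changed line are misplaced: "`authorized_keys file`" puts the word "file" inside the code span; it should be "`authorized_keys` file". In the same sentence `permitlisten` is called a "variable", but it is an option in the `authorized_keys` line (the later hunk lists it as such), so "option" would be consistent. Minor: "keep alive messages" reads better hyphenated as "keep-alive messages".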
@ -43,14 +43,14 @@ and `ls -lsha ~ssh-port-forwarding/.ssh/` should look like this:
### Configuring access rights
This is all done in `/home/ssh-port-forwarding/.ssh/authorized_keys`.
First use the `ssh-keygen` command to create a private and public key pair on the client side. Don't type any password! Then use `cat ~/.ssh/id_rsa.pub` to display the content of your newly created public key. After that add a new line in the `authorized_keys` file on the server. Use the following line as an example. Your key starts at `AAAA...` and this all needs to be in a single line per key.
`restrict,command="",port-forwarding,permitlisten="localhost:22",permitopen="localhost:22" ssh-rsa AAAA...`
First use the `ssh-keygen` command to create a private and public key pair on the client side. Don't type any password! Then use `cat ~/.ssh/id_rsa.pub` to display the content of your newly created public key. After that add a new line in the `authorized_keys` file on the server. Use the following line as an example. Your clients public key starts at `AAAA...` and this all needs to be in a single line per key.
`restrict,command="",port-forwarding,permitlisten="localhost:9999",permitopen="localhost:80" ssh-rsa AAAA...`
* `restrict`: this disables all current and future forwarding options (we will whitelist what we need)
* `restrict`: this disables all available and future forwarding options (we will whitelist what we need)
* `command=""`: don't allow client to send a command, set an empty forced command instead
* `port-forwarding`: allow port forwarding
* `permitlisten="localhost:22"`: restrict client to create (via `ssh -R`) port 22 on the server only, which will fail (default for security reasons)
* `permitopen="localhost:22"`: restrict client to access (via `ssh -L`) ssh port on server only (default for security reasons)
* `permitlisten="localhost:9999"`: permit client to create a listening socket (via `ssh -R`) on port 9999 on the server, which forwards requests to a service on the client
* `permitopen="localhost:80"`: permit client to access (via `ssh -L`) port 80 port on server, which will then be offered as a local port on the client
The `permitopen` and `permitlisten` options can be used multiple times in a row. The syntax is as follows:
* `permitlisten="[host:]port`
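Review bot: the new description of `permitopen="localhost:80"` contains a duplicated word: "port 80 port on server" should be "port 80 on the server". Two more small points in this hunk: "Your clients public key" needs a possessive ("Your client's public key"), and the syntax line `permitlisten="[host:]port` is missing its closing double quote (compare the `permitopen="host:port"` line in the next hunk). It would also help to state in the `permitlisten="localhost:9999"` bullet that, because the host part is `localhost`, the listening socket is bound to the server's loopback interface only, which is exactly the `[host:]port` behaviour the syntax section below explains and the reason the `restrict`/`permitlisten`/`permitopen` whitelist matters for a key that, per the text, has no passphrase.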
@ -60,7 +60,7 @@ The `permitopen` and `permitlisten` options can be used multiple times in a row.
* `*` allows access on all ports (e.g. from the Internet) if `GatewayPorts clientspecified` is set in `/etc/ssh/sshd_config`
* `permitopen="host:port"`
* `host` is the hostname or IP address of the server that your server should be allowed to connect to
* `port` is the port number on the `host` that should be allowed to be forwarded to the client
* `port` is the port number on the `host` that will be forwarded to the client
## Client side configuration
You should run the client side ssh command in a loop because it is tuned to terminate as soon as errors are detected. Don't worry, this is well tested. If you are old school you simply put this into `/etc/rc.local`:
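Review bot: the `host` bullet under `permitopen` is circular as written: "the hostname or IP address of the server that your server should be allowed to connect to" should read "the hostname or IP address of the host that the server is allowed to connect to on behalf of the client". In the context line above it, "`*` allows access on all ports (e.g. from the Internet)" conflates the two wildcards: in the `[host:]port` syntax, `*` in the host position means binding on all interfaces (which is what requires `GatewayPorts clientspecified`, as the line itself says), while `*` in the port position means any port; suggest "binds on all interfaces (i.e. reachable from the Internet)" here.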
@ -81,17 +81,17 @@ Don't forget to mark the script as executable: `chmod +x /etc/rc.local`
The client side ssh command looks like:
`ssh ssh-port-forwarding@myserver.example.com -TNnqakx -o "TCPKeepAlive yes" -o "ServerAliveInterval 5" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -L [...] -R [...]`
* `-T`
* `-N`
* `-n`
* `-q`
* `-a`
* `-k`
* `-x`
* `-o "TCPKeepAlive yes"`
* `-o "ServerAliveInterval 5"`
* `-o "ServerAliveCountMax 3"`
* `-o "ExitOnForwardFailure yes"`
* `-T` disable pseudo terminal allocation
* `-N` don't execute any command on the server
* `-n` redirect stdin to /dev/null (necessary as we run this command in background)
* `-q` disable most output
* `-a` don't forward the authentication agent connection
* `-k` disable forwarding of GSSAPI credentials
* `-x` dsable X11 forwarding
* `-o "TCPKeepAlive yes"` enable SSH's built in self monitring
* `-o "ServerAliveInterval 5"` send test messages every five seconds
* `-o "ServerAliveCountMax 3"` mark connection as failed after 3 lost test messages
* `-o "ExitOnForwardFailure yes"` quit ssh process if self check or __any of the forwardings__ fail (this is a crucial feature missing in autossh)
* `-4` (not shown above) is optional to foce ssh to use IPv4 only (in case of problems with IPv6)
* `-L` (can be repeated multiple times)
* `-R` (can be repeated multiple times)
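Review bot: the description added for `-o "TCPKeepAlive yes"` ("enable SSH's built in self monitring") is inaccurate: `TCPKeepAlive` only turns on the operating system's TCP-level keepalive probes, whereas SSH's own protocol-level self-check is the `ServerAliveInterval`/`ServerAliveCountMax` pair described in the following two bullets; suggest "enable TCP-level keepalive probes (detects dead connections at the OS level)" and keep the self-monitoring wording for the `ServerAlive*` options. Also fix the typos in the new lines: "dsable X11 forwarding" should be "disable X11 forwarding", "monitring" should be "monitoring", and "foce ssh to use IPv4" should be "force ssh to use IPv4".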